Analysis
-
max time kernel
2s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
25/12/2023, 10:37
General
-
Target
17c45cf65758d32945a2a4a54023c5e4.exe
-
Size
1.7MB
-
MD5
17c45cf65758d32945a2a4a54023c5e4
-
SHA1
818c297d28a0fe90ecddf1702c12add295879fb9
-
SHA256
4419f250749ada6e8a0d565652828019dddb5b1a5a4e0aa339972120fa2477af
-
SHA512
6cebec9983ca0e473d7936415a1d68cb6b288b104b5a8e670f9ee1752fbf8a10e3d0be32e9f5941c3e83ca7b773fd0af839651f3c9738fa11fa204b18534d0a0
-
SSDEEP
24576:UuhaseZJ8NI85eZJ8NI8DerQZb+md4wm2eZJ8NI85eZJ8NI8DerQZb+md4wmJdt4:bk8u8DerQZbd2r8u8DerQZbd2VdG
Score
5/10
Malware Config
Signatures
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Runs net.exe
-
Runs regedit.exe 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 16 IoCs
Processes
-
C:\Windows\SysWOW64\net.exenet.exe start schedule /y1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule /y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\system32\Option.bat1⤵
-
C:\Users\Admin\AppData\Local\Temp\17c45cf65758d32945a2a4a54023c5e4.exe"C:\Users\Admin\AppData\Local\Temp\17c45cf65758d32945a2a4a54023c5e4.exe"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y2⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y3⤵
-
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f2⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f2⤵
-
-
C:\Windows\SysWOW64\regedit.exeregedit.exe /s C:\Windows\regedt32.sys2⤵
- Runs regedit.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config wscsvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system\KavUpda.exeC:\Windows\system\KavUpda.exe2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\system32\reg.exe delete "hklm\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}" /f3⤵
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config wscsvc start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config SharedAccess start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet.exe stop 360timeprot /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y3⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 1:00:48 AM C:\Windows\Sysinf.bat3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 12:57:48 AM C:\Windows\Sysinf.bat3⤵
-
-
C:\Windows\SysWOW64\At.exeAt.exe 12:58:46 AM C:\Windows\Help\HelpCat.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d4⤵
- Views/modifies file attributes
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir F:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r F:\Autorun.inf\*.* /s /d3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c rmdir C:\Autorun.inf /s /q3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c attrib -s -h -r C:\Autorun.inf\*.* /s /d3⤵
-
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config SharedAccess start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exeC:\Windows\system32\sc.exe config srservice start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\net.exenet.exe stop srservice /y2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wuauserv /y2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\net.exenet.exe stop sharedaccess /y2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\net.exenet.exe stop wscsvc /y2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 1:00:45 AM C:\Windows\Sysinf.bat2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.execmd /c at 12:57:45 AM C:\Windows\Sysinf.bat2⤵
-
-
C:\Windows\SysWOW64\At.exeAt.exe 12:58:43 AM C:\Windows\Help\HelpCat.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\17c45cf65758d32945a2a4a54023c5e4~4.exe17c45cf65758d32945a2a4a54023c5e4~4.exe2⤵
-
-
C:\Windows\SysWOW64\net.exenet.exe start schedule /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start schedule /y2⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\system32\Option.bat1⤵
-
C:\Windows\SysWOW64\at.exeat 12:57:45 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\at.exeat 1:00:45 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d2⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y1⤵
-
C:\Windows\SysWOW64\at.exeat 1:00:48 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop 360timeprot /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop srservice /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wuauserv /y1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sharedaccess /y1⤵
-
C:\Windows\SysWOW64\at.exeat 12:57:48 AM C:\Windows\Sysinf.bat1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc /y1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r F:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h -r C:\Autorun.inf\*.* /s /d1⤵
- Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5e7d7ec66bd61fac3843c98650b0c68f6
SHA1a15ae06e1be51038863650746368a71024539bac
SHA2566475d5ecc14fea090774be55723d2d52b7ec7670527a7dbd61edf28c77944cb8
SHA512ac9e9893f5a0af03957731445f63279085f164e9a968d706a99d13012e4459314a7ccc32dc48f62379d69e21a0953c13543c9ded38b5ad5fbc346aa442af1ae6
-
Filesize
381KB
MD5045d671d4b5c9d1502c5e229dbfa0a47
SHA19112037ef009e53b36acdcf7435db2a438e1d72a
SHA25601afeed4238d3206ca41b70acd99a7961431ac741972da7052837b48aa22488b
SHA5124d028adc29f9aa09991efc75871ae29aa714c52eed5b2ebe56f9452b371b0e0ba4c13b55262f9ea74a58a7d9399e4174de9603389459c4214f65fd69b94dea8c
-
Filesize
123B
MD5872f90ca85f69ec8a9d810473ac9802c
SHA13df32ff73f98ef05e877613ce770ecb2e927488f
SHA256ea4a78453a64e8ec93e94f5977d8b684eb3b52107bf62d711f167b176f71551a
SHA512f051a25befd41f5acbd781683a5f6a2b09b6700b2609d1704016d658e6c84996e18f49c144c0e722296651297a3a90ece56cfa679a8f923abba65e6a8ca4a090
-
Filesize
216KB